Privacy Policy
Last updated: 2026-05-05.
This policy explains what personal data CertSelect collects, why we collect it, the lawful basis on which we process it, who we share it with, how long we keep it, and the rights you have under the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA / CPRA), Canada's PIPEDA, Brazil's LGPD, and the Australian Privacy Act.
1. Who we are (data controller)
CertSelect is published by Kulik Media UG (haftungsbeschränkt), a German Unternehmergesellschaft. The full legal-imprint details — registered address, managing director, commercial register entry, and VAT identification number — are available on our Imprint page. For all data-protection enquiries, write to [email protected].
2. What data we collect
We collect three categories of data:
- Analytics data (Google Analytics 4). When GA4 is active on the site, GA4 sets first-party cookies and collects pseudonymous identifiers, page views, referrer URLs, device type, approximate location derived from IP (city-level, not stored), and aggregated session metrics. IP addresses are anonymised by GA4 before storage. GA4 is not active on every page at the time of this policy's publication; it will be activated incrementally and a banner consent prompt will appear before any non-essential cookie is set.
- Server logs (Cloudflare CDN). Our hosting provider, Cloudflare, retains short-lived edge logs containing IP address, request timestamp, requested URL, response status, and user-agent string. These logs are used for abuse prevention, rate-limiting, and DDoS mitigation. Retention is governed by Cloudflare's policy — typically four hours to seven days for raw logs.
- Contact-email submissions. When you email us at [email protected] we receive your email address, your message, and any attachments you choose to include. We use this only to reply to you.
We do not knowingly collect data from children under 16. We do not collect special-category data (health, political opinion, religion, biometric, sexual orientation) and ask that you not include any in correspondence.
3. Why we collect it (purposes)
- Analytics: to understand which pages and articles readers find useful, so we can prioritise editorial work.
- Abuse prevention and operational security: server logs and Cloudflare edge data are processed to mitigate denial-of-service attacks, scraping, and credential-stuffing attempts.
- Support and correction handling: we reply to factual-correction emails and partnership enquiries.
4. Lawful basis (GDPR Art. 6)
- Legitimate interest (Art. 6(1)(f)) — for server-log retention, security and abuse prevention, and the small set of strictly necessary first-party cookies that keep the site functioning.
- Consent (Art. 6(1)(a)) — for any non-essential cookie, including Google Analytics, advertising/measurement cookies, and any future cross-site tracking. Consent is collected through a cookie banner before the cookie is set, can be refused without losing access to the site, and can be withdrawn at any time.
- Contract (Art. 6(1)(b)) — when you ask us to respond to a query, we process the email address you supplied for the duration of that conversation.
For UK readers, equivalent bases under the UK GDPR apply. For Brazilian readers, equivalent bases under LGPD Art. 7 apply (legitimate interest, consent, contract execution).
5. Cookies
The cookies that may be set when you visit CertSelect are:
| Cookie / storage key | Set by | Purpose | Retention | Consent required |
|---|---|---|---|---|
__cf_bm | Cloudflare | Bot management / abuse prevention | 30 minutes (rolling) | No (strictly necessary) |
cf_clearance | Cloudflare | CAPTCHA challenge clearance | 30 days | No (strictly necessary) |
_ga, _ga_<id> | Google Analytics 4 | Analytics — pseudonymous user / session identification | 13 months | Yes |
analytics_storage | GA4 Consent Mode | Records analytics-cookie consent state | 13 months | Records consent itself |
ad_storage (placeholder) | GA4 Consent Mode | Reserved for any future advertising/measurement integration. We do not currently run advertising cookies. | n/a | Yes (when activated) |
You can refuse non-essential cookies through the consent banner. You can also clear cookies in your browser settings at any time.
6. Affiliate links
CertSelect carries affiliate links to course platforms and training partners. Affiliate networks (Impact, Awin, and direct-program partners) typically set their own cookies on the destination site after you click an affiliate link. CertSelect does not set those cookies on this site, but the destination site does — please consult that site's privacy notice. The full list of affiliate programs we use, and our conflict-of-interest policy, is on the Methodology page.
7. Third parties we share data with
We share data only with the providers that operate the site and with partners that you choose to interact with:
- Google Analytics 4 (Google Ireland Ltd / Google LLC) — analytics processing. Data may be transferred to the United States under the EU–US Data Privacy Framework adequacy decision (July 2023). Google's privacy policy: https://policies.google.com/privacy.
- Cloudflare (Cloudflare Inc., USA, with EU subsidiary Cloudflare Germany GmbH) — CDN and DDoS protection. Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/.
- Affiliate networks — Impact (impact.com), Awin (awin.com), and direct-program partners. These act as independent data controllers when you click an affiliate link. Their privacy notices apply on their domains.
We do not sell personal data. We do not share personal data with advertising networks for cross-site tracking or for the construction of targeted-advertising profiles.
8. International transfers
Some of our processors (Google, Cloudflare) operate infrastructure in the United States. Where personal data is transferred outside the European Economic Area or the United Kingdom, transfers are made under the EU–US Data Privacy Framework adequacy decision (Google), Standard Contractual Clauses (Cloudflare), or, for transfers to other jurisdictions, equivalent safeguards. You may request a copy of the safeguards used by writing to [email protected].
9. Retention
- Analytics data — retained for 12 months in our Google Analytics 4 property, then automatically purged.
- Cloudflare edge logs — retained per Cloudflare's standard policy (raw logs typically 4 hours to 7 days; aggregated security analytics longer).
- Support emails — retained for up to 24 months to allow follow-up on factual corrections, then deleted unless the correspondence is part of an active matter.
10. Your rights
Under the GDPR / UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — ask us to delete your data, subject to legal exceptions.
- Restriction — ask us to stop processing your data while a dispute is resolved.
- Portability — receive your data in a machine-readable format and transfer it elsewhere.
- Objection — object to processing carried out under our legitimate interest.
- Withdraw consent — at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint — with your local data-protection authority. In Germany this is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (or the BfDI). EU readers may also contact their national authority. UK readers may contact the Information Commissioner's Office (ICO).
To exercise any of these rights, write to [email protected]. We respond within 30 days as required by GDPR Art. 12(3).
11. California residents — CCPA / CPRA addendum
If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act give you the rights to know what categories of personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the "sale" or "sharing" of personal information.
We do not sell personal information. We do not "share" personal information for cross-context behavioural advertising as those terms are defined in the CPRA. Because we do not sell or share, we do not currently provide a "Do Not Sell or Share My Personal Information" link — but we document that fact here so that California readers can rely on it. If we ever begin a practice that triggers that requirement, we will publish the link before doing so.
To exercise any CCPA / CPRA right, write to [email protected]. We will not discriminate against you for exercising a CCPA right.
12. Other jurisdictions
- Canada (PIPEDA). You have the right to access and correct your personal information and to file a complaint with the Office of the Privacy Commissioner of Canada.
- Australia (Privacy Act 1988). You have the right to access and correct your personal information and to complain to the Office of the Australian Information Commissioner.
- Brazil (LGPD). You have the rights set out in LGPD Art. 18 and may complain to the Autoridade Nacional de Proteção de Dados (ANPD).
13. Security
The site is served over HTTPS with TLS 1.2 or later. Our hosting provider (Cloudflare Pages) provides DDoS protection and edge filtering. We do not store payment data and do not operate a user-account system, so the attack surface for personal data is limited to the categories described above.
14. Changes to this policy
If we change this policy, we will update the "Last updated" date at the top of the page and, for material changes (new categories of data, new processors, new lawful bases), publish a brief change-log note in the About page. Continued use of the site after a change indicates acceptance of the revised policy.
15. Contact
Privacy questions, GDPR / CCPA / LGPD requests, or correction requests: [email protected].